Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PE/Low

Template:Doc:NIST SP 800-53r3 Appendix F/PE-1

Determine if: (i) the organization develops and formally documents physical and environmental protection policy; (ii) the organization physical and environmental protection policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities; (iv) the organization develops and formally documents physical and environmental protection procedures; (v) the organization physical and environmental protection procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (vi) the organization disseminates formal documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].

Determine if: (i) the organization defines the frequency of physical and environmental protection policy reviews/updates; (ii) the organization reviews/updates physical and environmental protection policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of physical and environmental protection procedure reviews/updates; (iv) the organization reviews/updates physical and environmental protection procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-2

Determine if: (i) the organization identifies areas within the facility that are publicly accessible; (ii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and (iii) the organization issues authorization credentials (e.g., badges, identification cards, smart cards).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; list of areas that are publicly accessible; other relevant documents or records].

Determine if: (i) the organization defines the frequency for review and approval of the physical access list and authorization credentials for the facility; (ii) organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency; and (iii) the organization removes from the access list personnel no longer requiring access.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-3

Determine if: (i) the organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); (ii) the organization verifies individual access authorizations before granting access to the facility; (iii) the organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards; (iv) the organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; and (v) the organization secures keys, combinations, and other physical access devices.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; storage locations for physical access devices; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].

Test: [SELECT FROM: Physical access control capability; physical access control devices].

Determine if: (i) the organization defines the frequency for conducting inventories of physical access devices; (ii) the organization inventories physical access devices in accordance with the organization-defined frequency; (iii) the organization defines the frequency of changes to combinations and keys; and (iv) the organization changes combinations and keys in accordance with the organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access devices; records of key and lock combination changes; storage locations for physical access devices; other relevant documents or records].

Test: [SELECT FROM: Physical access control devices].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-6

Determine if: (i) the organization monitors physical access to the information system to detect and respond to physical security incidents; (ii) the organization defines the frequency to review physical access logs; (iii) the organization reviews physical access logs in accordance with the organization-defined frequency; and (iv) the organization coordinates results of reviews and investigations with the organization's incident response capability.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].

Test: [SELECT FROM: Physical access monitoring capability].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-7

Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].

Test: [SELECT FROM: Visitor access control capability].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-8

Determine if: (i) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); (ii) the organization defines the frequency to review visitor access records; (iii) the organization reviews the visitor access records in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-12

Determine if: (i) the organization employs automatic emergency lighting for the information system that activates in the event of a power outage or disruption; (ii) the organization employs automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility; and (iii) the organization maintains the automatic emergency lighting for the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].

Test: [SELECT FROM: Emergency lighting capability].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-13

Determine if: (i) the organization employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and (ii) the organization maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-14

Determine if: (i) the organization defines the acceptable temperature and humidity levels within the facility where the information system resides; (ii) the organization maintains temperature and humidity levels within the facility where the information system resides in accordance with organization-defined acceptable levels; (iii) the organization defines the frequency to monitor temperature and humidity levels; and (iv) the organization monitors the temperature and humidity levels within the facility where the information system resides in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-15

Determine if: (i) the organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible and working properly; and (ii) key personnel within the organization have knowledge of the master water shutoff valves.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records].

Interview: [SELECT FROM: Organization personnel with physical and environmental protection responsibilities].

Test: [SELECT FROM: Master water-shutoff valves; process for activating master water-shutoff].

Template:Doc:NIST SP 800-53r3 Appendix F/PE-16

Determine if: (i) the organization defines the types of information system components to be authorized, monitored, and controlled as such components are entering or exiting the facility; (ii) the organization authorizes, monitors, and controls organization-defined information system components entering and exiting the facility; and (iii) the organization maintains records of information system components entering and exiting the facility.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records].

Interview: [SELECT FROM: Organization personnel with responsibilities for controlling information system components entering and exiting the facility].

Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility].